Bill S-4 (Historical)

Mr. Speaker, I hope I will not put my hon. colleague from Brandon—Souris on the spot to ask a question that relates to what the government House leader has done here. I do not have decades of parliamentary experience, but it is certainly unusual to have a bill from the Senate brought here to be sent to committee. This is a parliamentary procedure that I have not encountered before.

I am very curious as to why we are going through this unusual S. O. 73 approach, as opposed to the normal second reading that is followed by the bill going to committee. I wonder if he can enlighten me as to the procedural manoeuvring that we see for Bill S-4.

Mr. Speaker, I would remind the House that we are debating a motion to refer Bill S-4 to committee before it passes second reading.

The member who just spoke talked about all the good aspects of Bill S-4, and yet he voted against my Bill C-475, which proposed more or less the same things, if not better protections for Canadians.

However, my question is more about the Supreme Court decision regarding a provision of this bill related to personal data. We do not know whether the Conservatives plan to change this provision during the study in committee.

Is the member who just spoke afraid that this bill will be considered unconstitutional? If not, why does he not want to consider the Supreme Court's decision in the Spencer case in relation to this bill?

Mr. Speaker, I am pleased to rise today and speak in support of Bill S-4, the digital privacy act.

Last April the Minister of Industry announced Digital Canada 150, an ambitious plan for Canadians to take full advantage of the opportunities of the digital age. It is a plan that sets clear goals for a connected and competitive Canada in time for our 150th birthday in 2017.

One of the five pillars of Digital Canada 150 is protecting Canadians. Our government understands that in order for Canadians to take advantage of opportunities in the digital age, we must protect Canadians' private information in the digital world.

Previously our government has taken action to protect Canadians by introducing Canada's cyber security strategy and Canada's new anti-spam law. Bill S-4 adds to our record of standing up for Canadians in the online world.

This bill introduces measures to update PIPEDA, the Personal Information Protection and Electronic Documents Act, by setting out specific rules that businesses and organizations would have to follow whenever personal information was lost or stolen.

I was pleased to see that the member for Terrebonne—Blainville supports this bill and I am looking forward to her support when the bill comes to a vote in the House. In fact, the member said about the bill, “We have been pushing for these measures and I'm happy to see them introduced.”

Data breaches continue to be a major challenge to the privacy and security of citizens around the world. For example, this past summer JPMorgan Chase & Co., one of the largest banks in the U.S., was the victim of an attack that affected the accounts of 76 million households and seven million small businesses. Home Depot recently confirmed that 56 million payment cards were impacted in a breach of its payment card systems that lasted for five months.

Worldwide, there were between 575 million and 822 million data breaches in 2013. In the U.S. alone, nearly 92 million records were compromised in 2013.

Currently PIPEDA contains no obligations for businesses or organizations to tell customers when their personal information has been lost or stolen. I am pleased to tell the House that Bill S-4 introduces measures to address this issue. The bill creates new requirements under PIPEDA for reporting losses, theft, or other unauthorized access to personal information that may result from accidental or malicious activity.

These provisions would ensure that Canadians can take action to protect their personal information in the event of a privacy breach, while also encouraging businesses to adopt better information security practices. Organizations that deliberately ignored these requirements would face penalties of up to $100,000 per offence.

Let me explain how the new provisions will work.

Under Bill S-4, an organization that suffers a privacy breach would be required to notify affected individuals if there is a risk of significant harm. The organization would also have to report the breach to the Privacy Commissioner of Canada.

In fact, the interim Privacy Commissioner, Chantal Bernier, said that this bill contains “...very positive developments for the privacy rights of Canadians”. She was pleased that the government had addressed issues such as breach notifications.

The bill identifies the factors an organization would have to consider when determining whether or not there was a real risk that some form of significant harm would occur as a result of a privacy breach.

First, the organization would have to consider the sensitivity of the personal information. Second, the organization would have to consider the probability that the stolen information would be misused—for example, whether the data was encrypted, how much time had passed between the occurrence of the breach and its detection, and whether the cause of the breach was a malicious attack or was accidental.

Let me say again that by law, an organization would be required to notify individuals as soon as a breach was confirmed. If an organization determined there had been a breach, it would also have to notify other organizations in order to reduce the potential risk for the individual whose information was compromised. For example, if a store experienced a breach of its customer records, it would have to notify the relevant credit card companies or financial institutions.

Let me draw the attention of the House to a key element of these data breach requirements, which is that the bill would require organizations to keep records of all data breaches and provide this information to the Privacy Commissioner upon request. This would give the commissioner the ability to oversee data breach reporting and notification requirements. The Privacy Commissioner would be able to request these data breach records at any time. There would be no need for him to be conducting an audit or investigation when he requests them.

Bill S-4 includes heavy fines for companies that knowingly contravene these new requirements. Companies that deliberately failed to report a data breach to the commissioner or failed to notify individuals would face fines of up to $800,000. This could be up to $100,000 for every individual not told. Similarly, companies that deliberately cover up a data breach by not keeping these records or by destroying them could also face fines of up to $100,000.

Some might ask why there is a need for penalties related to data breach notification, given that most organizations comply with the Privacy Commissioner's guidelines for voluntary notification already. The government recognizes that many organizations already notify individuals of data breaches in a responsible manner; however, some do not. These penalties would target the bad apples, those organizations that willfully and knowingly disregard their obligations or, worse, cover up a breach.

Canadians know that our government takes their privacy concerns very seriously. I look forward to the continuation of this debate as we work with the opposition on how we can best protect Canadians in our digital world.

Mr. Speaker, I thank my colleague from Saanich—Gulf Islands for her very specific information.

I think it is a waste of our time to talk about where it is written or how this is good and so on. Canadians' rights and privacy are being threatened. That is what we need to be looking at. We need to work together on Bill S-4.

That is why we want to refer it to committee.

Mr. Speaker, in response to the question from my hon. friend from Kootenay—Columbia, perhaps my hon. colleague from the official opposition would find it helpful to refer to the opinion of Michael Geist, who is an expert in this area of law, cited with approval by the minister in Debates just before we broke. He has said that the Supreme Court of Canada decision on Spencer is directly on point and that the Supreme Court rejected the view advanced by government ministers. The government argued in committee that:

In the instance of PIPEDA, because of the type of information provided in a pre-warrant phase, such as basic subscriber information, it would be consistent with privacy expectations and therefore it's not really putting telecoms, for example, in some unique position in terms of police investigations.

Professor Geist went on to say that the Supreme Court of Canada rejected this view in terms of Spencer, concluding that “there is a reasonable expectation of privacy in the subscriber information”. Therefore, there is a very clear link between the reasoning of the Spencer decision and the bill before us, Bill S-4.

Mr. Speaker, I am pleased to rise today to speak to the motion to refer Bill S-4, the Digital Privacy Act, to a committee before second reading. I would also like to take this opportunity to congratulate my colleague from Terrebonne—Blainville, who has done such an outstanding job on this file.

Bill S-4 has a number of shortcomings and must be amended, which is why we would like to send this bill to committee before second reading.

I will give some details about the bill in order to put it in context. Bill S-4 amends the Personal Information Protection and Electronic Documents Act to compel private sector organizations to disclose any loss or breach of personal information. So far, so good. It also sets out sanctions to be imposed on organizations that fail to comply with that obligation. Again, so far, so good.

However, the proposed criterion for mandatory reporting is subjective, because it allows organizations to determine themselves whether it is:

...reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

In my opinion, this major flaw in the bill needs to be corrected. Why make laws if we are going to ask the organizations to enforce them themselves? I have my doubts. That is like giving a minister full power. That does not work either.

Bill S-4 would also give the Privacy Commissioner new powers to enter into compliance agreements with organizations that, according to the Commissioner, have failed to respect the provisions in the legislation, leaving the personal information of Canadians vulnerable. So far, so good.

Bill S-4 adds exceptions under which personal information may be collected, used or disclosed without an individual’s consent. The bill would make it easier for organizations to share personal information with each other without the consent of individuals, if the organizations are engaged in a process leading to a prospective business transaction.

The NDP absolutely disagrees with this type of provision. It is really not good for consumers. People will receive more advertising and unsolicited communications. We do not really need that in our consumerist society.

In other words, the bill allows an organization to disclose private client information under certain circumstances. If a company has my private information, for example, it can share it with another company, which can then do whatever it wants with that information. The next thing I know, I am receiving ads, or other unwanted things, at home. I do not think that is right. That is a very significant flaw in the bill.

Bill S-4 also amends provisions in the law that define the situations in which a person whose private information has been lost or compromised by a security breach can apply to the Federal Court for a hearing after receiving the Commissioner’s report or having been informed of the end of the complaint investigation. The bill extends the timeframe from 45 days to one year for a complainant to make an application to the court. I have to admit, that is a useful provision because it gives people more time to figure things out. It gives them a chance to analyze the situation and make a decision about whether to go or not go to court.

Bill S-4 also requires organizations to maintain a record of all breaches of security safeguards involving personal information under their control. This record could eventually be audited by the Office of the Privacy Commissioner of Canada. Again, I see some small flaws that open the door to subjectivity. I am not convinced of the merits of this provision.

My party and I are extremely concerned about the fact that Bill S-4 contains a provision that allows organizations to more easily share personal information without a warrant, without the consent of the clients and without an appropriate oversight mechanism. That is very worrisome and should be amended right away.

Given a recent Supreme Court of Canada decision, this provision will very likely be deemed unconstitutional. It is therefore important that the government comply with the Supreme Court's decision and remove from the bill all clauses relating to the warrantless disclosure of personal information.

The government has a very poor track record when it comes to protecting personal information. Although Bill S-4 contains some good provisions, it will not erase the past. The bill must therefore be amended so that it really meets the needs of Canadians and complies with international privacy standards.

In just one year, under this Prime Minister's government, government organizations secretly made over 1.2 million requests to telecommunications companies for personal information without a warrant and without proper oversight. I think that is all I need to say for people to understand that this is a concern. The government should have taken advantage of the opportunity afforded by Bill S-4 to correct the flaws that led to many violations of Canadians' privacy.

Finally, because of the government's inaction, the law has not been updated since the introduction of the new generation of iPods, iPads, iPhones and the like. We have fallen far behind in terms of international standards. Bill S-4 therefore does not go far enough and does not make the proper amendments to adequately protect Canadians in today's digital age.

There is still much to be done to adequately protect the privacy of Canadians. The government would do well to take this issue seriously.

Mr. Speaker, I heard several of the Conservative members' speeches. They gave 10-minute speeches on Bill S-4. That is nice, but we are debating a motion to refer it to committee before second reading. I did not hear a single member explain why that would be necessary.

My New Democratic and Liberal colleagues said that they hope to be able to fix some of the legislative problems with the bill before us. The Conservatives want us to send it to committee, but they do not seem to be acknowledging that their bill is problematic.

Can the member tell Canadians why the government is using an unusual measure to send this bill to committee? So far, the Conservative government has not explained its intentions at all.

Mr. Speaker, I am very pleased to rise today in strong support of Bill S-4, the digital privacy act. I am also pleased to be able to tell Canadians young and old, as well as businesses, exactly what this bill would do for them.

Bill S-4 would provide important updates to our private sector privacy law, called the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA. This bill is all about keeping our laws up to date in the rapidly burgeoning digital economy.

The biggest thrust in the protection of Canadians' online privacy, which we eagerly and sometimes maybe too eagerly jump to use, as this is a place where we go to surf, shop, and sell things, is to improve the protection of people's privacy. Our government understands that for a strong digital economy to work and for people to feel confident using this technology, they have to know that they are receiving those protections.

We have consulted very widely with business, with consumer advocates, and with a lot of real people, like moms and dads, to come up with this bill. Our consultations have shown one thing that is very clear, which is that people value their privacy. It is very important to Canadians. As a country, we regard it as a fundamental right, and we expect our personal information to have certain protections. All of us want to be able to embrace this great opportunity that is the web, and we want to have trust and confidence that our information will be protected when we are out there swiping our credit cards, punching in our PIN and pass codes, and giving out our names and addresses at stores and other places where we do businesses. Really, we are putting the details of our personal lives out there in the hands of businesses and other organizations.

Earlier this year, our government launched Digital Canada 150. This was an ambitious plan to give Canadians confidence that they can take advantage of the full opportunities of the digital age. One of the main pillars of Digital Canada 150 is protecting Canadians, and that is where Bill S-4, which we are talking about today, comes in. It would take what is already one of the world's best privacy regimes and make it even better.

The digital privacy act has five key areas, and I would like to touch on each one and explain for my hon. colleagues why each one is necessary.

The first area is mandatory notification if there are data breaches. These are requirements for companies to let us know if our personal information has been lost and there is a potential to expose us to harm. The time frame companies would be given to do this under this bill would be as soon as was feasible. For example, if a company's computer system was hacked and the clients' credit card information was stolen, the company might need a week to put a fence around it and figure out how many people had been affected and let us, as consumers, know. If the data breach or the hacker was more sophisticated, it might take the company a couple of weeks to figure out everyone who was affected and let us know. There would be some flexibility, but one thing that would be very clear would be that companies could not delay notifying us when there was this kind of breach.

If a company was hacked and it failed to notify clients in the shortest time frame possible, it could be taken to court by the Privacy Commissioner or by individuals. In addition, if a company willfully covered up a data or privacy breach, it could be charged up to $100,000 for every client that had not been notified. We see that these are very significant penalties. Recent revelations that large everyday retailers we deal with, such as Target and Home Depot, were victims of cyberattacks underscores the need for this legislation.

Also, the Privacy Commissioner would have to be notified, so if an organization deliberately covered up a privacy breach or intentionally failed to notify individuals or the Privacy Commissioner, again it could face significant fines.

The second set of changes in Bill S-4 deals with the rules around vulnerable individuals, especially kids.

The government examined this issue very closely as well and talked with experts and other interested parties. Based on this, it put new measures in the digital privacy act that would make it very clear that to give valid consent for information to be collected online, a person's age would have to be taken into account. For example, if one had a website specifically targeted at children and wanted to collect information, one would need to put in something like a pop-up that would say, “before filling in this information, go get your mom and dad”. Children's interests would now be put forward, and that would have to be done using very simple language.

These measures would put more power in the hands of consumers and would keep them better informed when they were out there doing business involving the worldwide web. They would also encourage businesses to adopt better privacy practices.

At the same time as we would be adding new privacy protections, we would also be removing some red tape. The third set of changes would ensure that businesses could collect data they needed to do legitimate business things. I want to stress that these changes would be limited and very much common sense. For instance, believe it or not, right now businesses are breaking the law if they give their own employees' email addresses to customers and clients without the employees' permission. Things like that just do not make sense.

These amendments would let businesses use personal information produced at work; disclose information, such as employees' salaries, that might be important if one were buying or selling a business; use information that might be contained in a witness statement to process an insurance claim; and keep information that is necessary in a regular employee-employer relationship. Businesses would be able to use this information to support normal day-to-day business activities, but, and there is a big but, they would still have to make sure that the privacy of that information was protected and not compromised. If they did not play by the rules, companies could be named and shamed and taken to court and fined.

The fourth group of amendments would allow certain information to be shared without necessarily first allowing for a person's consent if it was shown to be in the public interest or in that person's interest to do so. It would harmonize federal law with Quebec law, Alberta law, and British Columbia's private sector data protection acts.

One might ask what kind of instance that would be. For example, it would protect seniors from financial abuse if a bank noticed that there was some untoward activity going on in their accounts. It would allow emergency, police, or medical officials to communicate with a person's family if the person were injured or deceased.

Who would enforce all of this?

PIPEDA is enforced by the Privacy Commissioner of Canada, who acts like an ombudsman and who would get stronger tools in this legislation. The Privacy Commissioner could turn a matter over to the Federal Court if an organization were breaking the rules, and the court could levy fines and order the company to clean up its act. As well, citizens could personally take companies to Federal Court to order them to change their practices or could ask the court to award personal damages.

The bill would also boost the time available for a complaint if one was going to take an organization to court. It used to be 45 days, but under this proposed legislation, it would grow to a year.

Finally, the digital privacy act would create a new tool that would be an alternative to court action. The Privacy Commissioner could negotiate a binding deal with a company to make significant changes to comply with the legislation in exchange for not being taken to court.

This is all about confidence. It is about the consumer having confidence when having their personal information used so that they can do trade and commerce. They can surf the web. They can buy and sell with confidence and know that they and their families are safe online.

Bill S-4 would provide the necessary updates we need to privacy laws to protect consumers. It is a major part of our government's digital economic strategy, Digital Canada 150, and I urge all hon. members in this House to join with me and support this important piece of legislation.

Mr. Speaker, I would just like to note, parenthetically, that I disagree with my hon. colleague from Winnipeg North about whether we got the right balance on cyberbullying in Bill C-13.

However, let me get back to Bill S-4. Is it not just a question, more than whether this is a warrantless act or semantics, whether Bill S-4 would withstand a Supreme Court challenge in light of the Spencer decision? I would ask my hon. colleague for his comments.

Mr. Speaker, I listened to my Liberal colleague's speech with great interest. He seems to be very concerned about protecting Canadians' personal information. That is something we should all be concerned about.

However, when it came time to vote, the Liberal Party supported Bill C-13. I am perplexed. They seem to be saying one thing but voting another. Can the member clarify whether the Liberals plan to support Bill S-4? They are saying one thing now, but will they change their minds when it is time to vote?

Mr. Speaker, it is with pleasure that I rise to speak to Bill S-4 this afternoon.

It is an important piece of legislation, as it at least attempts to deal with an issue that many Canadians are quite concerned about. They see the merit of the government introducing legislation on how Canadians can be protected. However, there is also a great deal of concern about the manner in which the Conservative government, as it has in the past, appears to be attempting to overstep concerns related to privacy and protecting the privacy of Canadians.

We have before us Bill S-4 this afternoon. It attempts to deal with and expand warrantless access to subscribers' data. This is an issue which can no doubt be exceptionally controversial. It is something that needs to have more consultation and work with the different stakeholders so that we do not make mistakes.

As suggested in the bill's title, this bill has come from the Senate. There were concerns upon its departure from the Senate and entry into the House regarding the constitutionality of the legislation. I have found that quite often the government will bring legislation into the House in anticipation that it will ultimately pass, yet a great deal of concern has been expressed regarding the degree to which it would be in compliance with Canada's Constitution, the Charter of Rights, and so forth.

Time and time again, I have heard it suggested, and I have suggested it myself, that the government needs to be more forthright in providing information which clearly shows that the legislation it is bringing forward would pass our laws. More often than not, we do not receive the legal opinions from the department giving clear indication that the legislation being debated is in fact constitutional and will pass the Supreme Court. That is important to note, for the simple reason that when the House of Commons passes legislation and it gets challenged, it costs literally millions of dollars, especially if the government has done it wrong.

The idea of seeing Bill S-4 go to the committee is something we are quite comfortable with. Going through the summary of the bill gives us the sense of the scope we are dealing with. The act would amend the Personal Information Protection and Electronic Documents Act to do a litany of things. It covers quite a broad area. We have expressed a great deal of concern about some of it to the Liberal Party critic.

The primary concern we have is ensuring that the privacy of Canadians is being respected. Checks need to be put into place to ensure that there is accountability.

Let me give members a couple of very specific examples of what the legislation is proposing. This comes from the summary of the bill itself. It would “permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of...”

Here it lists some very specific things. These are:

(i) identifying an injured, ill or deceased individual and communicating with their next of kin,

(ii) preventing, detecting or suppressing fraud, or

(iii) protecting victims of financial abuse;

As I said, there are a litany of things. One that really caught my eye and that I think is a very strong positive is related to the Privacy Commissioner. The bill says, “modify the information that the Privacy Commissioner may make it public if he or she considers that it is in the public interest to do so”.

We have seen an expansion of the role, if I can put it that way, of the Privacy Commissioner, and giving more authority to him or her. Through the legislation, we are also seeing more penalties being brought in.

This is not only the first but the second piece of legislation over the last number of months dealing with privacy. It was not that long ago that I was speaking to Bill C-13, the protecting Canadians from online crime act. It deals with cyberbullying. Canadians have little tolerance for cyberbullying and the types of things that take place.

Bill C-13 focuses a great deal of attention on the distribution of pictures without consent onto the Internet. We had some difficulty with Bill C-13, as we do with Bill S-4, but we ultimately ended up supporting the legislation because we recognized how important it was to stop cyberbullying. There were concerns with that legislation just like there are concerns with this particular piece of legislation.

We would like the government to provide more answers and be a bit more transparent about what it hopes to achieve with this legislation. We call upon the government to do just that in anticipation of the bill going to committee where it will be changed in order to provide some comfort to Canadians with respect to their privacy. Privacy is an issue that the Liberal Party takes seriously. Our party critic has had the opportunity to express many of our concerns with regard to it.

Bill S-4 would allow for warrantless requests of companies. Telecom companies and service providers could be approached in order to access personal information.

Over the last decade we have seen an explosion of technology in the computer and Internet areas. Who would have thought 15 or 20 years ago that we would be where we are today? In many ways we are playing catch-up in terms of trying to bring forward legislation in order to protect Canadians. Canadians have great access to the Internet as a whole. Many things are done through the Internet and unfortunately, at times, people are exploited, so we need bills such as Bill S-4 to deal with that.

Today we are talking about corporations getting personal information about people living in Canada who ultimately go to a particular telecom provider. That means company x could request specific information from a telecom provider about a particular customer who is being serviced by that provider. All of us should be concerned about that. All of us should want to do what we can to ensure that the privacy of Canadians is respected and that there are checks in place to ensure no abuse is taking place.

What we are talking about are warrantless requests. People would be surprised to know that in 2011, almost 800,000 warrantless requests by telecom companies were documented. People would be amazed to know the amount of information that leaves Canada through the Internet via, for example, the United States and ultimately comes back into Canada. The U.S. national security agency no doubt has access to a lot of Canadians' personal information.

At the end of the day, the bottom line is that the government has a responsibility to provide assurances to Canadians that their right to privacy is being protected. This is the greatest concern I have as the bill continues to go forward.

The challenge is to ask the government to provide the necessary amendments that would protect and provide assurances to Canadians that their privacy would in fact be protected. I am very concerned that private corporations, on a whim, could say a copyright has been infringed, or there is a perceived illegal activity and then are able to get personal information on Canadians.

Mr. Speaker, it is my pleasure to address this motion by the government to have Bill S-4 go to committee before second reading, which is a rare event in the House. This is a procedure that was made possible for the first time in 1994 amendments. I believe it stemmed from the 1982 McGrath committee's report that said that committees should more often be used at the early stages of legislation to make sure that things are caught and that a wide variety of perspectives are taken into account in drafting legislation and, frankly, to make the role of MPs more meaningful than is often the case when a bill is studied only after second reading in committee.

As we know, in committee after second reading, and after hearing any amount of testimony from witnesses that could suggest serious problems with a bill, the amendments are often extremely constrained by the rule that they must fit within the principle of the bill. Quite often that means that the principle is understood by the chair or the legal staff advising the chair as simply the principle of a given provision, and therefore, an attempt to work more broadly than the narrow purpose of a given provision is often ruled out of order.

Beyond that, I have found so far in committees, since arriving in the House, that there seems be a reluctance at the moment, on the part of the advisers to chairs, to understand that bills can often have multiple purposes and not just a single purpose. Therefore, in the end, after second reading, committee work often really is an exercise in frustration, because a lot could be done to perfect a bill that is technically ruled out of order due to the fact that we have to work within the principle of the bill as voted at second reading.

It is great that this bill is going to committee before second reading. It will hopefully allow, in the spirit of what this procedure is all about, a full, frank hearing, from all kinds of witnesses, about the problems I hope the government understands are in this bill. I hope this is also the reason the minister has decided to send it to committee before second reading. There can be true dialogue and engagement among MPs, obviously with the government watching what is going on and giving its input through government MPs, so that this bill is taken apart and rewritten in the way this procedure would allow.

I myself stood in the House to move unanimous consent to have Bill C-23, what New Democrats called the unfair elections act and the government called the fair elections act, referred to committee before second reading, exactly for the reasons I have just given. There were so many obvious problems in the bill. Not sticking to the principle in the bill and working collegially across party lines would have benefited the study of that bill. In retrospect, New Democrats realize how true that was. Although we got serious amendments passed, with pressure from backbench members of the government suggesting changes that helped us in our efforts, that bill would be much better if it had gone to committee before second reading.

There is another procedure that, in the spirit of openness, I am hoping the minister might consider. To date, it has not been the practice of the government to table opinions about the constitutionality or charter compliance of a bill. Given the real concerns that exist with respect to warrantless access to information that is contained in this bill as kind of a compendium bill to Bill C-13, I would ask the minister to please consider, for once, having the Department of Justice table a written opinion on the constitutionality of this. Why does it think that the Spencer judgment coming out of the Supreme Court of Canada does not apply or, if it applies, that the bill is written in a way that justifies it under the charter?

So often in committee there is minimal to no good testimony from the civil service side on why, supposedly, the Minister of Justice has certified that a bill is in compliance with the charter. We know that the standard for the minister doing that is a very minimalist standard.

I will read from the Senate testimony on Bill S-4 from Michael Geist, of the University of Ottawa, to tell the House why having that additional procedure as part of the referral to committee before second reading would be useful. He says:

Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both [to] past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).

That is an extremely good summary of a core problem with the bill in terms of the fears it raises that it has gone too far. It would purportedly create an updated regime to protect privacy and in the process would potentially ram through new problems with respect to Canadians' privacy.

I would like to now, in my last couple of minutes, go over a few points that I hope come up in committee.

I wish to thank a constituent, Mr. John Wunderlich, an expert in privacy law, who worked with me on the weekend to better understand the bill. These are points that I hope do have discussed.

In paragraph 4(1)(b) of the act, the definition of who this would apply to would move from just employees to employees and applicants for employment. In that context, this leaves hanging the question of how much or how little this would apply to companies whose business is to conduct background checks. The committee should solicit feedback on this. In my view, the background check function in the employment sector is done far too often and too deeply and already constitutes a systemic privacy invasion in the employment sector. Therefore, this extension needs to be looked at.

The next thing is the definition of valid consent. While it is welcome, because it brings clarity, the committee should note whether the current systems asserting consent on the web actually provide meaningful information to web surfers about just how many entities will be given access to either some or all of their personal information. Right now, there is a real risk that so-called valid consent, as outlined in the bill, would actually piggyback on the systematic sharing of information that people have no idea is being shared. The act could become a smokescreen behind which individual profiles were built and shared across businesses.

I have already spoken about the potential for the warrantless invasion of privacy because of the fact that organizations could seek information from others when they are simply investigating breaches of agreement or fraud. We should keep in mind that when they are investigating fraud, it is not just in the criminal context. All of this involves civil questions as well. An example is fraudulent misrepresentation.

The “real risk of significant harm” test for companies in particular to decide whether they are going to inform the commissioner and at another stage inform persons of breaches of privacy is a problematic standard in the sense that it is actually very general, and it is probably too low. There should be a presumption for disclosure to the commissioner, and it should be left up to the commissioner to either determine, or assist the company in determining, whether this is significant enough to let the persons whose information was released know that it happened. At the moment, it is an entirely discretionary system, based on a very vague standard, which may mean that data will be breached without people actually knowing it and being able to take the measures necessary to protect themselves.

Those are only three of the more specific concerns that need to be looked at. There is a lot in the bill.

I have a final comment, and it may be a rather strange one. I am looking at my colleague across the way. The privacy legislation from Alberta should be looked at very closely as a reference point for whether the government has gotten certain things wrong. That province has gotten things right.

Mr. Speaker, today it is my absolute pleasure to express my support for Bill S-4, the digital privacy act. When the industry minister released Digital Canada 150, our government's plan to guide Canada's digital future, he set out clear goals to put our country at the forefront of the digital economy.

One of the five pillars of this ambitious plan is “protecting Canadians”. In order to realize the full benefits of the digital plan and the digital world, Canadians must have confidence that their online activities are secure and that their online privacy is protected through strong measures like the digital privacy act.

This government is taking concrete action to make sure that Canadians and their families are protected from online threats. Protecting Canadians online is particularly important when we consider the most vulnerable segments of our society. Indeed, as the Internet becomes present in virtually every aspect of our economy, and our children's homework, it is also becoming an essential element in our children's lives.

A recently released survey conducted last year by MediaSmarts, a charitable organization dedicated to digital and media literacy, revealed that in 2013, 99% of Canadian students were able to access the Internet outside of their school. When online, students play games, download music, television shows and movies, and socialize with their friends and family.

The survey reveals that over 30% of students in grades 4 to 6 have Facebook accounts, and that by grade 11, my daughter's year, 95% of students have an account. However, with this increased online presence comes increased risk. As we have seen, young people can unfortunately become targets of online intimidation and abuse. This government has acted to protect our children from cyberbullying and other similar threats.

In addition to responding to the very real and harmful threats related to cyberbullying, this government is also acting to protect the privacy of minors and other vulnerable individuals through proposed amendments to the digital privacy act.

In our modern digital economy, our children must be able to go online in a safe and secure way if they are to develop the skills they will need later to find jobs in the digital marketplace. The online world has the potential to provide considerable benefits for our children's education and development, and it can greatly enrich their social lives.

At the same time, going online can expose children to privacy risks. For example, minors can be subject to aggressive behavioural marketing tactics, or they could have their personal data collected and shared without truly understanding what is being done. There is the potential for long-term privacy consequences.

The digital privacy act includes an amendment to Canada's private sector privacy law to strengthen the requirements around the collection, use, and disclosure of personal information, which will increase the level of protection for vulnerable Canadians such as children. Specifically, the digital privacy act clarifies that when a company is seeking permission to collect, use, or disclose personal information from a specific group of individuals such as children, then the company must make sure that an average person, such as a child in that group, would be able to understand what is going to happen with the information.

An example is the best way to illustrate how the proposed amendment will work. Imagine, for example, an educational website that is designed primarily for elementary school children. Under the proposed amendment, any request by that website to collect, use, or disclose personal information would need to be worded in such a way that it is understandable by the average elementary school student. This not only includes making sure that the wording and language used in the request is age appropriate, but that the request itself is appropriate as well. If it is not reasonable to expect that the average elementary-aged child would understand the purpose and consequences of them clicking “okay”, then under the digital privacy act the company would not have valid consent.

Minors under the age of majority are more vulnerable and require additional protections. At the same time, privacy protection for children must reflect their level of maturity and psychological development. It must respect that.

That is why our government has ensured that the flexibility inherent to the act which allows the application of contextual privacy protections is reflected in our proposed amendment. The ability of teenagers to understand what is being done with personal information and their ability to make decisions about what they will and will not agree to is completely different from what elementary school children are capable of.

As they age, minors become more able to make sound decisions about themselves and what is being done with their personal information. Therefore, a website directed, for example, to grade 12 students, should not explain what it intends to do with information and seek consent in the same way that an educational website for elementary school students would. The process is similar; the means are different.

The proposed amendment adjusts for this difference by focusing on what is reasonable to expect of the group of individuals being targeted by the company's product or service.

The former interim privacy commissioner strongly supported this proposed amendment when speaking to the Senate committee that was studying the bill last spring. This is what the Office of the Privacy Commissioner said in its written submission to that committee:

We think this is an important and valuable amendment that will clarify PIPEDA’s consent requirements. By requiring organizations to make a greater effort to explain why they are collecting personal information and how it will be used, this proposed amendment should help make consent more meaningful for all individuals, particularly for young people for whom the digital world is an integral part of their daily lives.

As an added protection, PIPEDA has always recognized that parents or other authorized representatives have the right to provide consent on behalf of an individual, including children. Indeed, the responsibility and commitment to protect the privacy of children and other vulnerable Canadians is absolutely a shared one. Parents, governments, educators, as well as charities in the private sector, all have a central role to play in protecting the online privacy of our children.

The government firmly believes that digital literacy and skills are at the core of what is needed for individuals to succeed in today's online economy. Understanding by parents, educators, and children of the relevance and importance of protecting online privacy is a central component of digital literacy.

The government supports the role that the Office of the Privacy Commissioner of Canada is playing in educating Canada's youth about the importance of online privacy and helping them to not only understand the impact that online services and applications can have on their privacy but also helping them make wise, smart decisions.

For example, the office of the commissioner created a graphic novel called Social Smarts: Privacy, the Internet and You. It was designed to help young Canadians better understand online privacy issues. They have also created tools to support parents and educators as they seek to protect children's online privacy. A discussion guide and privacy activity sheets have been developed to help them work with children to explore and understand privacy risks associated with social networking, mobile devices, texting, and online gaming.

The government is committed to protecting the privacy of Canadians. The digital privacy act takes concrete action to protect the most vulnerable members of our society, and that includes our children. At the same time, this legislation respects the growth of our children as they approach adulthood. It is measured and graduated because of that.

I hope all hon. members will join me in supporting this very important bill.

Mr. Speaker, I have another question for my colleague.

The government's bill is called the Digital Privacy Act. However, we now know that the Conservative government does not have the best record in the world when it comes to protecting privacy. It lost track of a significant amount of Canadians' personal information. It passed Bill C-13, which gives statutory immunity to Internet service providers who decide to voluntarily hand over personal information. There is no shortage of examples: government agencies made at least 1.2 million requests to Internet service providers in just one year.

Does the hon. member not have any misgivings about this? Will the government really make good changes during the review of this bill in committee?